EDPL 3|2017 Tracking Walls, Take-It-Or-Leave-It Choices 1

Tracking Walls, Take-It-Or-Leave-It Choices, the GDPR, and the ePrivacy Regulation

Frederik J Zuiderveen Borgesius, Sanne Kruikemeier, Sophie C Boerman and Natali Helberger*

On the internet, we encounter take-it-or-leave-it choices regarding our privacy on a daily basis. In Europe, online tracking for targeted advertising generally requires the internet users’ consent to be lawful. Some websites use a tracking wall, a barrier that visitors can only pass if they consent to tracking by third parties. When confronted with such a tracking wall, many people click ‘I agree’ to tracking. A survey that we conducted shows that most people find tracking walls unfair and unacceptable. We analyse under which conditions the ePrivacy Directive and the General Data Protection Regulation allow tracking walls. We provide a list of circumstances to assess when a tracking wall makes consent invalid. We also explore how the EU lawmaker could regulate tracking walls, for instance in the ePrivacy Regulation. It should be seriously considered to ban tracking walls, at least in certain circumstances.

I. Introduction

On the internet, we encounter many take-it-or-leave-it choices regarding our privacy. Social network sites and email services typically require users to agree to a privacy statement or to terms and conditions – if people do not agree, they cannot use the service. Some websites use a tracking wall, a barrier that visitors can only pass if they agree to tracking by third parties. When confronted with such take-it-or-leave-it choices, many people might click ‘I agree’ to any request. It is debatable whether people have meaningful control over personal information if they have to consent to tracking to be able to use services or websites. This article explores the problem of tracking walls, and discusses several options for the EU lawmaker to regulate them.

First, we give a brief introduction to online tracking and tracking walls. Next, we report on a large-scale survey we conducted in the Netherlands: most people consider tracking walls unfair, and do not find it acceptable when they have to disclose their personal data in exchange for using a website.

Then we analyse whether such tracking walls are allowed under European data privacy law, more specifically the ePrivacy Directive, and the General Data Protection Regulation (GDPR).1 The European Commission has published a proposal for an ePrivacy Regulation, which should replace the ePrivacy Directive.2 That ePrivacy proposal does not contain specific rules regarding tracking walls. We explore how the EU lawmaker could deal with tracking walls, and discuss four options: (i) no specific rules for tracking

* Dr Frederik J Zuiderveen Borgesius is a researcher at the Institute for Information Law (IViR) of the University of Amsterdam. Dr Sanne Kruikemeier is assistant professor Political Communication and Journalism at the Amsterdam School of Communication Research (ASCoR) of the University of Amsterdam. Dr Sophie C Boerman is assistant professor of Persuasive Communication at the Amsterdam School of Communication Research (ASCoR) of the University of Amsterdam. Prof Dr Natali Helberger is professor Information Law at the Institute for Information Law (IViR) of the University of Amsterdam. For correspondence: […] All authors cooperate in the Personalised Communication Project. The research for this article was made possible with the help of research funding from the University of Amsterdam (Personalised Commu- […] cil, ERC, under Grant 638514 (PersoNews - PI N Helberger). The authors would like to thank Joyce Neys, Candida Leone, Sarah Eskens, the participants in the discussion at the TPRC 44th Research Conference on Communications, Information and Internet Policy, Washington (October 2016), and the anonymous peer reviewers for their valuable comments on drafts for this paper.
1 We use the phrase ‘data privacy law’ if we refer to both the rules in the ePrivacy Directive and in data protection law.
2 Proposal for a Regulation of the […] and of the Council, concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications) COM(2017) 10 final, accessed 7 September 2017.

walls; (ii) ban tracking walls in certain circumstances; (iii) fully ban tracking walls; (iv) ban all web-wide tracking (third party tracking). We argue that the lawmaker should seriously consider options (ii) and (iii): a partial or complete ban of tracking walls.3

II. Online Tracking

People can use many online services, such as websites, email services, and search engines, without paying money. Large amounts of data about users are usually collected through such services. Those data are typically used for behavioural targeting, a marketing technique which involves monitoring people’s online behaviour, and using the collected information to show people individually targeted advertising.4

In a simplified example, behavioural targeting works as follows. Advertising networks are companies that serve advertising on websites. Such ad networks track people’s browsing behaviour over multiple websites, using cookies or similar technologies. (We speak of ‘cookies’ for readability, but ad networks use many other tracking technologies too, such as flash cookies and device fingerprinting.5) By following people’s browsing behaviour, ad networks build […] more targeted ads. For instance, an ad network may show wine advertising to people who visited websites about wine. Many websites allow dozens of ad networks and other third parties to store tracking cookies on their visitors’ computers.6 Tracking people across multiple websites (for instance by ad networks) is called ‘web-wide tracking’ or ‘third party tracking’. Tracking within one website could be called ‘site-wide tracking’.7

Websites are often funded by advertising. Sometimes, advertisers only pay a website publisher if somebody clicks on an ad. Few people click on ads. Roughly, if an ad is shown 10,000 times, less than five people click on that ad (a ‘click through rate’ of 0.05%).8 Behavioural targeting was developed to make more people click on ads. Some claim that behavioural targeting is more effective than non-target- […] publishers.9

However, in the long term, behavioural targeting may lead to less income for certain website publishers. With traditional advertising models, advertisers had to advertise in certain media to reach certain people. The price of an ad is based, among other things, on the number of readers.10 By way of illustration, a printed newspaper with many wine lovers among its readers could be a good place for a wine merchant to advertise. And the book review pages of a printed newspaper could be a good place to advertise a book. The newspaper assembles an audience, and provides the advertiser access to this audience. Contextual advertising is a type of online advertising that resembles print advertising, as ads are placed in the context of related content. With contextual online advertising, advertisers aim to reach people by showing ads on certain websites or pages – for example ads for wine on websites about wine.

By contrast, with behavioural targeting, an ad network can show a wine ad anywhere on the web to people whose profile suggests that they like wine. An ad network does not have to buy expensive ad space on a large professional website, such as a newspaper

3 The paper builds on, and includes sentences from: Frederik J Zuiderveen Borgesius, Improving privacy Protection in the Area of Behavioural Targeting (Kluwer law International 2015) and Frederik J Zuiderveen Borgesius et al, ‘An Assessment of the Commission’s Proposal on Privacy and Electronic Communications’ (Directorate-General for Internal Policies, Policy Department C: Citizen’s Rights and Constitutional Affairs, May 2017) accessed 7 September 2017.
4 Sophie Boerman, Sanne Kruikemeier and Frederik J Zuiderveen Borgesius, ‘Online behavioral advertising: a literature review and research agenda’ (2017) 3 Journal of Advertising 363-376.
5 Chris Jay Hoofnagle et al, ‘Behavioral advertising: the offer you cannot refuse’ (2012) 6 Harvard Law & Policy Review 273.
6 Ibrahim Altaweel, Nathaniel Good and Chris Jay Hoofnagle, ‘Web Privacy Census’ (Technology Science, 15 December 2015) accessed 7 September 2017.
7 World Wide Web Consortium, ‘Tracking Preference Expression (DNT), W3C Candidate Recommendation 20 August 2015’ (2015) accessed 7 September 2017; Article 29 Working Party, ‘Opinion 01/2017 on the Proposed Regulation for the ePrivacy Regulation (2002/58/EC)’ (4 April 2017) 18.
8 Dave Chaffey, ‘US, Europe and Worldwide display ad click-through rates statistics summary’ (Smartinsights, 8 March 2017) accessed 7 September 2017: ‘Across all ad formats and placements Ad CTR is just 0.05%. So, this is just than 5 clicks per 10000 impressions (...)’
9 See, Howard Beales, ‘The value of behavioral targeting’ (Network Advertising Initiative, 2010) accessed 31 August 2017. See also, Katherine J Strandburg, ‘Free Fall: The Online Market’s Consumer Preference Disconnect’ (University of Chicago Legal Forum, 2013) 95 accessed 28 September 2017.
10 Fernando Bermejo, The internet audience: Constitution & measurement (Peter Lang 2007).

website, to advertise to an individual. The ad network can reach that individual when he/she visits a small website, where advertising space is cheaper.11 Hence, the ad network spends less money on large professional websites. In sum, advertising funds many services. But in the long term, behaviourally targeted advertising may reduce income for certain website publishers.

III. Tracking Walls

It is widely assumed that online tracking and behavioural targeting raise serious privacy concerns.12 In Europe, online tracking for targeted advertising generally requires the internet users’ consent to be lawful (see Section V below). Companies use different strategies to collect people’s consent to online tracking. One strategy is offering people a take-it-or-leave-it-choice. For example, some websites use ‘tracking walls,’ also called ‘cookie walls’ – barriers that visitors can only pass if they allow the website or its partners to track them. In Figure 1 we give an example of such a tracking wall.13 People can only enter the website if they click ‘I agree’ and thus consent to web-wide tracking. If people do not click ‘I agree,’ they cannot enter the website.

Figure 1. An example of a tracking wall.

Text in the pop-up (informal translation): ‘RTL uses cookies. By clicking on “Yes, I agree” you give RTL permission to collect, with cookies and similar technologies, (personal) data, to store these data, and to process these data as described in our privacy and cookie statement. These data, for instance about your location and about which videos you watch, are used to improve our service and to show you advertisements and videos which are tailored to your use. This website is part of the RTL network. Consent on this website implies consent for placing cookies on multiple websites or RTL, and for combining data that are collected on these websites of RTL. Third parties, such as advertisers and social media networks, can place tracking cookies to show you personalised advertisements or to follow your website visits if you surf to websites outside the RTL network. You can find more information about cookies in the privacy and cookie statement of RTL. You can contact the RTL customer service on 035 671 87 18 (option 2) or [email protected].’

IV. Survey Results: Most People Find Tracking Walls Unacceptable

We conducted a survey among the Dutch public, to examine the public opinion regarding tracking walls. A total of 1,235 people answered the survey questions. This sample is representative for the Dutch population: the findings can be extrapolated to the general public.15 We introduced our questions about tracking walls with the text: ‘To view or use a [web shop / news website / health website / website with public transportation timetables], you are sometimes required to accept that your personal information is collected through the website. If you do not click ‘OK’ when encountering a pop-up or a tracking wall, you cannot view the website.’ This introductory text was then followed by two questions: ‘To what extent do you think this is acceptable?,’ and ‘To what extent do you think this is fair?’16 The results are presented in Figures 2 and 3.

Figure 2. The percentage of respondents who think tracking walls are (not) acceptable (N = 1235).

The results show that a majority of people (roughly 60%) believes it is neither acceptable nor fair when websites use tracking walls. Roughly, 20% finds tracking walls acceptable and fair; 20% is neutral. There do not appear to be substantial differences between the types of website – shopping, news, health, or public transportation. For all these website types, most people believe tracking walls are unacceptable and unfair.

People are used to trade-offs when using media or websites. Making access to ‘free’ content conditional upon the acceptance of advertising, for example, has a long tradition in the media sector, as advertising funds many media. Do people find certain trade-offs more acceptable or fair than others?

We asked people two questions about trade-offs: a trade-off where they have to disclose personal data in exchange for using a website, and a trade-off where they have to accept that there are ads on a website. The first question started with the following text: ‘Websites are offered for free. This is possible because the website lets other companies collect personal information through the website, for instance about the things you click on.’ This introductory text was then followed by the following questions: ‘To what extent do you think it is acceptable if websites are free, in exchange for collecting your personal information?’ The next question started with the following text: ‘Websites are offered for free. This is possible because the website contains ads.’ This introductory text was

11 ibid; see also, Joseph Turow, The Daily You: How the New Advertising Industry is Defining Your Identity and Your Worth (Yale University Press 2011); Alexis Madrigal, ‘A Day in the Life of a Digital Editor, 2013’ The Atlantic (6 March 2013) accessed 31 August 2017.
12 See for instance, Turow (n 11); Julia Angwin, Dragnet Nation: A Quest for Privacy, Security, and Freedom in a World of Relentless Surveillance (Times Books 2014); Article 29 Working Party, ‘Opinion 2/2010 on online behavioural advertising’ (22 June 2010) WP 171.
13 See for another example, Ronald Leenes and Eleni Kosta, ‘Taming the cookie monster with Dutch law – A tale of regulatory failure’ (June 2015) 31(3) Computer Law & Security Review 317-335.
14 Screenshot 1 March 2017, when visiting from an IP address in the Netherlands.
15 In our sample, the average age is 54.1 years old (ranged between 18 and 89 years old) and 51.7% is female. 32.2% of the respondents had a lower level of education, 33.2% has a middle level of education, and 34.4% had a higher level of education (no information about education for two cases). The data were collected in April 2016 by CenterData, a research company managing a research panel.
16 Respondents could answer these questions on a seven-point scale ranging from 1 (Absolutely not) to 7 (Absolutely). We recoded these answers for presentation in the Figures: answers 1 till 3 were recoded as not acceptable or not fair; answer 4 as neutral; answer 5 till 7 as acceptable or fair.

Figure 3. The percentage of respondents who think tracking walls are (not) fair (N = 1235).

Figure 4. The percentage of respondents who believe (i) the collection of personal data or (ii) advertising on websites is (not) acceptable (N = 1235).

then followed by the following question: ‘To what extent do you think it is acceptable if websites are free, in exchange for showing ads?’17 These questions thus provide insights into how acceptable people find it if, in exchange for visiting a so-called ‘free’ website, they have to accept that their data are collected, or that a site includes advertising. The results are presented in Figure 4.

A majority (64.0%) says that trading personal data against the use of a ‘free’ website is unacceptable.

17 Respondents could answer these questions on a seven-point scale ranging from 1 (Absolutely not) to 7 (Absolutely). We recoded these answers for presentation in the Figures: answers 1 till 3 were recoded as not acceptable; answer 4 as neutral; answers 5 till 7 as acceptable.

Only 44.9% thinks that it is not acceptable if a ‘free’ website contains ads. Hence, more people seem to dislike a model in which they have to disclose personal data, than a model in which they are exposed to ads.

Nowadays, most online advertising is combined with cookies or other tracking technologies. In practice, people can thus only accept online advertising by also accepting online tracking.18 However, advertising does not necessarily require tracking and targeting. For instance, tracking people is not necessary for contextual advertising, such as ads for cars on websites about cars.

Overall, 32.6% of the people accept advertising if they use a ‘free’ website, and 22.4% are neutral on this issue. The fact that many people accept that ‘free’ content is advertising-funded, or are indifferent about it, is not surprising.19 Advertising-funded content has been around for more than a century. Without paying with money, people can listen to commercial radio and read certain advertising-funded newspapers.20 Trade-offs where companies capture data about their visitors are more recent than trade-offs where people are confronted with advertising.21

Our survey results are in line with an EU-wide Eurobarometer survey, which found in 2017 that 64% of the respondents finds it unacceptable to ‘hav[e] your online activities monitored (for example what you read, the websites you visit) in exchange for unrestricted access to a certain website.’22

While most people find tracking walls unacceptable, many people might click ‘OK’ when being confronted with tracking walls.23 It seems that many people see disclosing their personal data as inevitable. In an EU-wide survey, 58% agree that ‘[t]here is no alternative than to provide personal information if you want to obtain products or services.’24 And 43% agree with the statement ‘You feel you have to provide personal information online’.25 Similarly, surveys in the US show that ‘a majority of Americans are resigned to giving up their data’.26

There appears to be a ‘privacy paradox’: in surveys, people say they care about privacy, but people often divulge personal data in exchange for minimal benefits or convenience, and relatively few people use technical tools to protect their privacy online.27 Scholars from various disciplines argue that people do care about privacy, but have difficulties acting according to their privacy preferences.28 Similarly, people who care about the environment might not study the label of every supermarket product to establish if it was produced in an environmentally friendly way.

Insights from behavioural studies can help to explain the privacy paradox. ‘Present bias’, sometimes

18 One of the only ways to protect oneself against online tracking is using an ad blocker. See, Craig Wills and Doruk Uzunoglu, ‘What Ad Blockers Are (and Are Not) Doing’ (Computer Science Department, Worcester Polytechnic Institute, 2016) accessed 7 September 2017.
19 Our survey results in the Netherlands resemble results from other research. For instance, after interviews in the US in 2010, McDonald and Cranor conclude: ‘people understand ads support free content, but do not believe data are part of the deal.’ Aleecia McDonald and Lorrie Faith Cranor, ‘Beliefs and Behaviors: Internet Users’ Understanding of Behavioral Advertising’ (38th Research Conference on Communication, Information and Internet […] accessed 7 September 2017.
20 See generally: Tim Wu, The Attention Merchants: The Epic Scramble to Get Inside Our Heads (Knopf 2016).
21 It is not new that companies capture data about customers. For […] cards often enable shops to track the shopping behaviour of customers.
22 European Commission, ‘Flash Eurobarometer 443, ePrivacy, full report’ (December 2016) Question 5.1 (93/T.24) accessed 7 September 2017.
23 For instance, in a 2014 survey in the Netherlands, half of the respondents said they usually clicked ‘OK’ to cookie pop-ups. Dutch Consumer Organisation (Consumentenbond), ‘Cookiewet heeft bar weinig opgeleverd [Cookie law didn’t help much]’ (2014) […] cookiewet-heeft-weinig-opgeleverd> accessed 7 September 2017.
24 […], ‘Special Eurobarometer 431, Data Protec- […] ion/archives/ebs/ebs_431_sum_en.pdf> accessed 7 September 2017.
25 ibid 43.
26 Joseph Turow, Michael Hennessy and Nora Draper, ‘The Tradeoff Fallacy. How Marketers Are Misrepresenting American Consumers and Opening Them Up to Exploitation’ (A report from the Annenberg School for Communication, University of Pennsylvania, June 2015) 1 […] TradeoffFallacy_1.pdf> accessed 7 September 2017. See for similar results (based on focus groups), Katharine Sarikakis and Lisa Winter, ‘Social Media Users’ Legal Consciousness About Privacy’ (2017) 3(1) Social Media Society 1-14.
27 See for instance: Susan Barnes, ‘A privacy paradox: Social networking in the United States’ (2006) 11(9) First Monday accessed 7 September 2017.
28 See for instance, Sabine Trepte et al, ‘What do people know about privacy and data protection? Towards the “Online Privacy […] Reforming data protection: the global perspective (Springer forthcoming); Alessandro Acquisti and Jens Grossklags, ‘What Can Behavioral Economics Teach Us About Privacy?’ in Alessandro Acquisti et al (eds), Digital Privacy: Theory, Technologies and Practices (Auerbach Publications, Taylor and Francis Group

called myopia, refers to people’s tendency to focus more on the present than on the future. People often choose immediate gratification, and often ignore future costs. Many people find it hard to stick with a healthy diet, or to save money for later.29 Because of present bias, people might click ‘I agree’ to online tracking if that gives them immediate access to a website – even if they were planning to protect their privacy.30 If a friend emails a link to a good article, the enjoyment of reading that article is immediate (even if one must accept tracking cookies), while the privacy risks are often further in the future.

In conclusion, most people find tracking walls unacceptable and unfair, and think it is not acceptable when they have to disclose their personal data in exchange for using a website. In the next section, we discuss how EU data privacy law deals with tracking walls and similar take-it-or-leave-it choices.

V. Tracking Walls and EU Data Privacy Law

1. The ePrivacy Directive and Tracking Walls

In European data privacy law, informed consent and individual choice play a central role, like in many data privacy rules around the world.31 The ePrivacy Directive requires, in short, companies to ask the internet user’s prior consent before they use tracking cookies and similar technologies.32 The Directive contains exceptions to the consent requirement, for cookies that are necessary for communication and for services requested by the user.33 The Directive’s consent requirement applies to many tracking technologies, such as several types of cookies, and some forms of device fingerprinting.34 For the definition of consent, the ePrivacy Directive refers to the general data protection law (the Data Protection Directive).35 Under the Data Protection Directive, valid consent requires a (i) freely given, (ii) specific, and (iii) informed (iv) indication of wishes.36

Hence, consent must be ‘freely given’ to be valid. For instance, say an employer asks an employee for consent to process his or her personal data. Such consent might not be ‘freely given’, because of the power imbalance. Employees might fear adverse consequences if they do not consent.37 The Court of Justice of the European Union says that people applying for passports cannot be deemed to have freely consented to have their fingerprints taken, because people need a passport.38 In short, consent is not ‘freely given’, and therefore invalid, if people lack a real choice.

From a data protection perspective, the question is whether consent is ‘freely given’ when people agree to web-wide tracking after encountering a tracking wall.39 Among others, Kosta suggests that a

29 Hanneke Luth, ‘Behavioural Economics in Consumer Policy: The Economic Analysis of Standard Terms in Consumer Contracts Revisited’ (PhD thesis, University of Rotterdam 2010) s 3.2.2, e; Cass Sunstein and Richard Thaler, Nudge: Improving Decisions about Health, Wealth, and Happiness (Yale University Press 2008) ch 6.
30 Alessandro Acquisti, ‘Privacy in Electronic Commerce and the Economics of Immediate Gratification’ (Proceedings of the 5th ACM Conference on Electronic Commerce, Association for Computing Machinery, New York 2004) 21–29; Katherine Strandburg, ‘Free Fall: the Online Market’s Consumer Preference Disconnect’ (University of Chicago Legal Forum, 2013) 95, 149 accessed 7 September 2017.
31 See on data privacy law around the world, Graham Greenleaf, ‘Global Data Privacy Laws 2017: 120 National Data Privacy Laws, Including Indonesia and Turkey’ (30 January 2017) 145 Privacy Laws & Business International Report, 10-13 accessed 7 September 2017.
32 art 5(3) ePrivacy Directive 2002/58/EC (updated in 2009). General data protection law probably also requires the internet user’s consent for most online tracking practices. See, Frederik J Zuiderveen Borgesius, ‘Personal Data Processing for Behavioural Targeting: Which Legal Basis?’ (2015) 5(3) International Data Privacy Law 163–176 doi: 10.1093/idpl/ipv011. But in this paper, we focus on the consent requirement in the ePrivacy Directive.
33 art 5(3) ePrivacy Directive 2002/58/EC (updated in 2009). See, Article 29 Working Party, ‘Opinion 04/2012 on Cookie Consent Exemption’ (7 June 2012) WP 194.
34 Eleni Kosta, ‘Peeking into the cookie jar: the European approach towards the regulation of cookies’ (2013) 21 International Journal of Law and Information Technology 1.
35 For the definition of consent, art 2(f) ePrivacy Directive 2002/58/EC (updated in 2009) refers to the Data Protection Directive.
36 art 2(h) Data Protection Directive.
37 Eleni Kosta, ‘Consent in European Data Protection Law’ (PhD thesis, University of Leuven 2013) (Martinus Nijhoff Publishers 2013) 386; Article 29 Working Party, ‘Opinion 15/2011 on the definition of consent’ (13 July 2011) WP 187, 13-14.
38 Case C-291/12 Schwartz v Stadt Bochum [2013] […] make [international] journeys are not free to object to the processing of their fingerprints. In those circumstances, persons applying for passports cannot be deemed to have consented to that processing.’
39 See eg, Leenes and Kosta (n 13); Corien Prins and Lokke Moerel, ‘Privacy for the Homo digitalis: Proposal for a new regulatory framework for data protection in the light of big data and the internet of things’ (2016) accessed 7 September 2017.

tracking wall makes consent involuntary: ‘In such a case the user does not have a real choice, thus the consent is not freely given.’40 Indeed, in some cases consent may not be ‘freely given’ when a website uses a tracking wall. For example, the Dutch Data Protection Authority says that the national public broadcasting organisation is not allowed to use a tracking wall. The Data Protection Authority says that the public broadcaster has a ‘situational monopoly,’ because the only way to access certain information online is through the broadcaster’s website. This situational monopoly makes people’s consent involuntary.41

The Article 29 Working Party, in which European Data Protection Authorities cooperate, recommends not using tracking walls, but does not say that current law prohibits them. The Working Party says that people ‘should have an opportunity to freely choose between the option to accept some or all cookies or to decline all or some cookies.’42

In some Member States access to certain websites can be made conditional on acceptance of cookies, however generally, the user should retain the possibility to continue browsing the website without receiving cookies or by only receiving some of them, those consented to that are needed in relation to the purpose of provision of the website service, and those that are exempt from consent requirement. It is thus recommended to refrain from the use of consent mechanisms that only provide […]

[…] to specific website content may still be made conditional on the well-informed acceptance of a cookie or similar device, if it is used for a legitimate purpose.’ But the Working Party suggests that Recital 25 is not meant to allow companies to put the whole website behind a tracking wall: ‘[t]he emphasis on “specific website content” clarifies that websites should not make conditional “general access” to the site on acceptance of all cookies.’44 The Working Party adds […] careful phrasing suggests that the Working Party does not mean to say that current law prohibits all tracking walls.46 This seems to be the correct interpretation of current law. In the next section, we turn to future law: the GDPR.

2. The GDPR and Tracking Walls

Compared to the Data Protection Directive, the requirements for valid consent have been tightened in the GDPR. The GDPR defines consent as ‘any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.’47 Article 7 of the GDPR discusses when consent is freely given:

When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.48

Hence, under Article 7 of the GDPR, to assess whether consent is freely given (and therefore valid), it must be considered whether a service is made conditional on consent. This rule can be applied to tracking walls. Web-wide tracking is not necessary for providing a

40 Kosta (n 34) 17.
41 College Bescherming Persoonsgegevens, ‘Brief aan de staatssecretaris van Onderwijs, Cultuur en Wetenschap, over beantwoording Kamervragen i.v.m. cookiebeleid [Letter to the State Secretary of Education, Culture and Science, on answers to parliamentary questions about cookie policy]’ (31 January 2013) accessed 7 September 2017; Natali Helberger, ‘Freedom of Expression and the Dutch Cookie-Wall’ (March Institute for Information Law, 2013) 18 accessed 7 September 2017.
42 Article 29 Working Party 2013, ‘Working Document 02/2013 providing guidance on obtaining consent for cookies’ (2 October 2013) WP 208, 5.
43 ibid 5 (internal footnote omitted, emphasis added).
44 ibid 5.
45 ibid 5.
46 But see the English Information Commissioner’s Office, which says: ‘the individual must have a genuine choice over whether or not to consent to marketing. Organisations should not coerce or unduly incentivise people to consent, or penalise anyone who refuses.’ (Information Commissioner’s Office, ‘Direct Marketing. Data Protection Act, Privacy and Electronic Communications Regulations’, Version 2.2, 14 accessed 7 September 2017).
47 art 4(11) General Data Protection Regulation.
48 art 7(4) General Data Protection Regulation. See generally on art 7(4) General Data Protection Regulation: Bojana Kostic and Emmanuel Vargas Penagos, ‘The freely given consent and the “bundling” provision under the GDPR’ (2017) 153 Computerrecht 217-222.

website, according to the Article 29 Working Party.49 ditionally, sometimes a data subject’s consent may The GDPR does not say that take-it-or-leave-it choic- be invalid because of a clear imbalance between the es always lead to invalid consent. Rather, ‘utmost ac- data subject and a company. If there is a clear imbal- count shall be taken’ of whether a contract or service ance between a large company and a data subject, is made conditional on consent.50 Recital 43 suggests that a tracking wall of such a com- The GDPR’s recitals make the requirements for pany makes consent involuntary, and therefore in- ‘freely given’ consent even stricter. Recitals in the pre- valid. When a large company, such as Facebook, amble of a legal instrument of the EU have less legal processes personal data, it could be argued that a clear weight than the instrument’s provisions. Neverthe- imbalance exists between the data subject and the less, recitals can be used to interpret provisions.51 company (the controller). After all, the data subject Recital 43 of the GDPR states: and Facebook do not have equal bargaining power; In order to ensure that consent is freely given, con- some Facebook users may feel that they have no sent should not provide a valid legal ground for choice to consent. the processing of personal data in a specific case The GDPR’s preamble gives more arguments for where there is a clear imbalance between the da- invalidating consent when a website uses a tracking ta subject and the controller, in particular where wall. Recital 42 says: ‘Consent should not be regard- the controller is a public authority and it is there- ed as freely given if the data subject has no genuine fore unlikely that consent was freely given in all or free choice or is unable to refuse or withdraw con- the circumstances of that specific situation. 
Con- sent without detriment.’53 If not being able to use a sent is presumed not to be freely given if it does website is seen as ‘detriment’, this recital seems to not allow separate consent to be given to different make consent invalid when a website uses a tracking personal data processing operations despite it be- wall. Recital 32 adds that ‘[i]f the data subject’s con- ing appropriate in the individual case, or if the per- sent is to be given following a request by electronic formance of a contract, including the provision of means, (…) the request must be (…) not unnecessari- a service, is dependent on the consent despite such ly disruptive to the use of the service for which it is consent not being necessary for such perfor- provided.’ As far as tracking walls are unnecessarily mance.52 disruptive, they do not comply with this recital. In conclusion: the GDPR does not categorically Recital 43 could be read as a presumption that track- prohibit tracking walls and similar take-it-or-leave-it ing walls cannot be used to obtain valid consent. Af- choices. But compared to the Data Protection Direc- ter all, a tracking wall typically makes providing a tive, the GDPR is much stricter on the conditions un- service dependent on the data subject’s consent. Ad- der which consent is ‘freely given’.

49 Article 29 Working Party, ‘Opinion 03/2013 on purpose limitation’ (2 April 2013) WP 203, 46; Article 29 Working Party, ‘Opinion 06/2014 on the notion of legitimate interests of the data controller under article 7 of Directive 95/46/EC’ (9 April 2014) WP 217, 47.
50 art 7(4) General Data Protection Regulation.
51 Todas Klimas and Jurate Vaičiukaitė, ‘The Law of Recitals in European Community Legislation’ (2008) 15(1) ILSA Journal of International & Comparative Law.
52 recital 43 General Data Protection Regulation. The European Parliament had proposed a similar sentence in a provision (rather than in a recital); see, art 7(4) LIBE Compromise accessed 7 September 2017.
53 recital 41 General Data Protection Regulation.
54 Proposal for a Regulation of the European Parliament and of the Council, concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications) COM(2017) 10 final accessed 7 September 2017.

VI. The Proposed ePrivacy Regulation

In January 2017, the European Commission published a proposal for an ePrivacy Regulation.54 Like the ePrivacy Directive, the ePrivacy proposal contains a provision that applies to cookies and online tracking. Article 8(1) of the ePrivacy proposal reads as follows:

terminal equipment and the collection of information from end-users’ terminal equipment, including about its software and hardware, other than by the end-user concerned shall be prohibited, except on the following grounds:
out the transmission of an electronic communication over an electronic communications network; or
(b) the end-user has given his or her consent; or
(c) it is necessary for providing an information society service requested by the end-user; or
(d) if it is necessary for web audience measuring, provided that such measurement is carried out by the provider of the information society service requested by the end-user.55

Roughly speaking, Article 8(1) of the ePrivacy proposal replaces Article 5(3) of the current ePrivacy Directive. The proposed Article 8(1) applies to cookies and to many other tracking technologies; a cookie ‘use[s] processing and storage capabilities of terminal equipment’.56 Like the ePrivacy Directive, the ePrivacy proposal refers to general data protection law (the GDPR) for the definition of consent.57 The ePrivacy proposal does not contain specific rules on tracking walls.58

VII. Four Options to Regulate Tracking Walls

How could the lawmaker deal with tracking walls? We discuss four options: (i) no specific rules for tracking walls; (ii) ban tracking walls in certain circumstances; (iii) fully ban tracking walls; (iv) ban all web-wide tracking. (A general discussion of Article 8(1) of the ePrivacy proposal falls outside the scope of this paper; we focus on tracking walls.59)

1. Option (i): No Specific Rules for Tracking Walls

A first option for the lawmaker is: not including specific rules on tracking walls in the ePrivacy Regulation. If the lawmaker does not add specific rules, the voluntariness of consent would have to be assessed separately for each tracking wall. The main question would be, in each case, whether people can ‘freely’ give consent in line with the GDPR’s requirements.

Below we provide a first sketch for a circumstance catalogue, a non-exhaustive list of circumstances in which it is particularly questionable whether consent is valid if a company offers a take-it-or-leave-it choice, for instance with a tracking wall.

If a company has a dominant position, there is more chance of imbalance between the contract parties as individuals have little negotiation power vis-à-vis such a company. As Bygrave notes, ‘fairness implies a certain protection from abuse by data controllers of their monopoly position.’60

Sometimes, for other reasons it is not a realistic option for people to go to a competitor, for instance because of a lock-in situation. In a lock-in situation, it is difficult or costly to leave a service.61 To illustrate, when all one’s friends are on Facebook, joining another social network site makes little sense. In such a case, it is hardly a realistic option to go to a privacy-friendly competitor.

It is dubious whether consent is still ‘freely given’ if a company uses a tracking wall and there are no competitors that offer a similar, more privacy-friendly service.62 Somebody who does not want to disclose personal data would not have the possibility to use a certain type of service.63

Additionally, some people may be more vulnerable to pressure – such situations call for a more privacy-protective interpretation of the rules. To illustrate: a tracking wall is questionable when a service is aimed at, or often used by, children.64 After all, children are less likely to fully understand the implications of that choice, or might feel more readily pressured into accepting what they may perceive as a non-choice. Similarly, people with a medical condition might be more easily pressured into consenting to data collection if they believe that access to a particular website will give them important health information. In conclusion, all circumstances should be taken into account to assess the voluntariness, and thus the validity, of consent.

But the GDPR’s requirements regarding consent remain open for conflicting interpretations. More guidance on the legality of tracking walls could improve legal clarity. Case law could clarify the conditions under which consent should be considered to be ‘freely given’. But it may take a long time until there is enough case law to have clarity. Therefore, specific rules on tracking walls might be preferable.

2. Option (ii): Ban Tracking Walls in Certain Circumstances

A second option is banning tracking walls under certain circumstances. Indeed, in some circumstances, tracking walls should not be allowed at all. Or, to be more exact: in some circumstances, the law should not allow companies to use a tracking wall to obtain valid consent for tracking.

For instance, in 2016, the Article 29 Working Party mentioned five circumstances in which tracking walls should be banned. In short, the Working Party called for a prohibition of tracking walls: (i) on websites that reveal special categories of data (sensitive data) to trackers; (ii) in the case of ‘tracking by unidentified third parties for unspecified purposes’;65 (iii) on government-funded websites; (iv) in circumstances where the GDPR would make consent invalid; (v) in the case of ‘bundled consent for processing for multiple purposes. Consent should be granular.’66 (In 2017, the Working Party amended its position; now it calls for a complete ban of tracking walls.67)

The five circumstances mentioned by the Working Party are a good start. But tracking walls should probably be banned in more circumstances. So far, we have assessed tracking walls primarily from the perspective of data protection law and the ePrivacy Directive. But considerations from other policy areas can help to inform the debate about tracking walls. Our survey shows that most people think tracking walls are unfair, regardless of the type of website. However, there are arguments based on public policy considerations in favour of introducing a distinction between different websites, or types of websites, when considering rules for tracking walls.

Below, we discuss public policy arguments for specific rules or bans in certain circumstances, in particular arguments relating to freedom of expression and media, professions with confidentiality requirements, and the public sector. We do not mean to give an exhaustive list; we mention these examples as a starting point for a discussion.

a. Freedom of Expression

One relevant area is media law. In media law, the right to freedom of expression is a guiding principle. The right to freedom of expression in the European Convention on Human Rights (Article 10) and in the Charter of Fundamental Rights (Article 11) includes the freedom to receive information and ideas without interference by public authority.68 And the International Covenant on Civil and Political Rights protects the right to ‘seek’ information.69

Article 10 of the European Convention on Human Rights does not merely require states to refrain from interfering with the right to freedom of expression. Sometimes, states must take action to safeguard freedom of expression, says the European Court of Human Rights: ‘the genuine and effective exercise of freedom of expression under Article 10 may require positive measures of protection, even in the sphere of relations between individuals.’70 Article 10 does not grant a right to receive media content free of charge, or a right not to be tracked online. Nevertheless, Article 10 illustrates the importance of the public’s interest in receiving information.

Web-wide tracking may threaten the public’s freedom to receive information. If access to media content is made conditional (upon conditions such as the obligation to pay a price or to accept tracking cookies), parts of the public may be excluded. For instance, privacy-aware people may not want to accept tracking cookies and may therefore not access content that is behind tracking walls. Moreover, tracking people’s online behaviour could lead to a chilling effect. For example, people might refrain from visiting certain websites, or from reading about certain political topics, if they fear that their behaviour is tracked. People may want to keep their political views confidential, and may not want others (including tracking companies) drawing the wrong conclusions about their political opinions. Indeed, data protection law recognises personal data regarding political opinions as data that deserve extra protection.71

Hence, privacy can be important for the right to receive information. As Richards notes, ‘a specific kind of privacy is necessary to protect our cherished civil liberties of free speech and thought.’72 He speaks of ‘intellectual privacy’, the ‘protection from surveillance or interference when we are engaged in the processes of generating ideas – thinking, reading, and speaking with confidants before our ideas are ready for public consumption.’73 Along similar lines, Cohen argues for a ‘right to read anonymously.’74

Chilling effects are hard to prove empirically. Nevertheless, there is some evidence that surveillance by
fect. More empirical research is needed into chilling effects resulting from commercial tracking and surveillance. If a chilling effect occurred in relation to reading about news and politics, it could threaten our democratic society. This could be an argument to con-

b. Institutions with a Public Mission: Media

Specific rules should be considered for public service media.77 Tracking walls for public service media can conflict with the mission of the public service media. According to the Council of Europe, public service media should promote democratic values, and should offer ‘universal access.’78 A situation in which the more privacy-conscious people are excluded from access to the programs of the public service media could conflict with the requirement of universal access.

Should specific rules be adopted for tracking walls on news websites and other commercial media? That is an even harder question than the question regarding public service media. The mission of commercial media is harder to define than the mission of public service media. And many commercial publishers, more than public service media, depend on advertising income. Moreover, commercial media can invoke their ‘freedom to conduct a business in accordance with Union law and national laws and practices’, which is granted in the Charter of Fundamental Rights of the European Union.79 Commercial website publishers could argue that the right to conduct a business implies that they can set the conditions for access.80

55 art 8(1) ePrivacy proposal. See also recitals 6, 20, and 21 of the ePrivacy proposal.
56 art 8(1) ePrivacy proposal.
57 art 9(1) ePrivacy proposal.
58 The ePrivacy proposal does mention take-it-or-leave-it choices in the context of art 6, in recital 18.
59 See generally on the ePrivacy proposal, Zuiderveen Borgesius (n 3).
60 Lee Bygrave, ‘Data protection law: approaching its rationale, logic and limits’ (PhD thesis, University of Oslo) (Kluwer Law International 2002) 58.
61 Carl Shapiro and Hal Varian, Information Rules. A Strategic Guide to the Network Economy (Harvard Business School Press 1999) 104. In a lock-in situation, ‘the costs of switching from one brand of technology to another are substantial.’
62 See s 28(3)(b) Federal Data Protection Act in .
63 Especially in markets with information asymmetry, there might not be any privacy-friendly competitors. See, Tony Vila, Rachael Greenstadt and David Molnar, ‘Why We Can’t be Bothered to Read Privacy Policies. Models of Privacy Economics as a Lemons Market’ in Jean Camp and Stephen Lewis (eds), Economics of Information Security (Springer 2004); Frederik J Zuiderveen Borgesius, ‘Behavioural Sciences and the Regulation of Privacy on the Internet’ in Anne Sibony and Alberto Alemanno (eds), Nudging and the Law - What can EU Law learn from Behavioural Sciences? (Hart Publishing).
64 See, Article 29 Working Party: ‘The user should be put in a position to give free and specific consent to receiving behavioural advertising, independently of his access to the social network service.’ Perhaps this remark is partly inspired by the fact that many children use social network sites [Article 29 Working Party, ‘Opinion 15/2011 on the definition of consent’ (n 37) 18].
65 Here, the Working Party probably refers to ‘real time bidding’. See Lukasz Olejnik, Tran Minh-Dung and Claude Castelluccia, ‘Selling Off Privacy at Auction’ (2013) Inria accessed 7 September 2017.
66 Article 29 Working Party, ‘Opinion 03/2016 on the evaluation and review of the ePrivacy Directive (2002/58/EC)’ (26 July 2016) WP 240, 17.
67 Article 29 Working Party, ‘Opinion 01/2017 on the Proposed Regulation for the ePrivacy Regulation (2002/58/EC)’ (n 7).
68 art 10 European Convention on Human Rights. The European Court of Human Rights (ECtHR) says that ‘the public has a right to receive information of general interest’ [Társaság a Szabadságjogokért v Hungary App no 37374/05 (ECtHR, 14 April 2009) para 26]. And ‘the internet plays an important role in enhancing the public’s access to news and facilitating the sharing and dissemination of information generally (…).’ [Fredrik Neij and Peter Sunde Kolmisoppi (The Pirate Bay) v Sweden App no 40397/12 (ECtHR, 19 February 2013 (inadmissible))].
69 art 19(2) International Covenant on Civil and Political Rights. See generally on the right to receive information, Sarah Eskens, ‘Challenged by news personalization: Five perspectives on the right to receive information’ (forthcoming).
70 Khurshid Mustafa v Sweden App no 23883/06 (ECtHR, 16 March 2009) para 32.
71 art 9 GDPR; art 8 Data Protection Directive.
72 Neil Richards, Intellectual Privacy: Rethinking Civil Liberties in the Digital Age (Oxford University Press 2014) 9.
73 ibid 9. See also, JE Cohen, ‘Intellectual Privacy and Censorship of the Internet’ (1997) 8 Seton Hall Constitutional Law Journal 693 and Declaration of the Committee of Ministers on Risks to Fundamental Rights stemming from Digital Tracking and other Surveillance Technologies (Adopted by the Committee of Ministers on 11 June 2013) para 2; Joined Cases C‑203/15 and C‑698/15 Tele2 Sverige AB and Watson [2016] ECLI:EU:C:2016:970, para 101.
74 JE Cohen, ‘A Right to Read Anonymously: A Closer Look at Copyright Management in Cyberspace’ (1995) 28 Connecticut Law Review 981.
75 See, Jon Penney, ‘Chilling Effects: Online Surveillance and Wikipedia Use’ (2016) 31(1) Berkeley Technology Law Journal, art 5; Alex Marthews and Catherine Tucker, ‘Government Surveillance and Internet Search Behavior’ (29 April 2015) accessed 7 September 2017.
76 A survey by Cranor and McDonald in 2010 suggests behavioural targeting has a chilling effect, but the research concerns declared (not revealed) preferences. McDonald and Cranor (n 19).
77 As noted, the Dutch Data Protection Authority criticised the public broadcaster for using a tracking wall. Dutch Data Protection Authority (Autoriteit Persoonsgegevens), ‘Beantwoording Kamervragen i.v.m. cookiebeleid NPO’ (31 January 2013) 5 accessed 7 September 2017.
78 Recommendation CM/Rec(2007)3 of the Committee of Ministers to member states on the remit of public service media in the information society (31 January 2007) para 1(a). See also, arts 2(f) and 3 Dutch Media Law.
79 art 16 Charter of Fundamental Rights of the European Union.
80 See Interactive Advertising Bureau Europe, ‘Position on the proposal for an ePrivacy Regulation’ (Position paper, 28 March 2017) accessed 7 September 2017.

A ban of tracking walls on news websites could lower behavioural advertising income for news publishers, at least in the short term. However, as noted, in the long term, behavioural advertising may diminish profit for news websites.81 And even if tracking-based or behavioural advertising were not allowed, other types of online advertising, such as contextual advertising, would still be possible.

Nevertheless, lawmakers should be cautious with rules that reduce income for news websites. A ban on tracking walls for news websites would require further debate and research. For instance, it would be hard to define the scope of the ban. Should the ban apply to political blogs, or to online newspapers that only gossip about celebrities?

Lawmakers could also take less drastic measures than banning tracking walls. For instance, lawmakers could require publishers to offer a tracking-free version of their website, which visitors must pay for with money.82 (As noted, online advertising is possible without tracking and data collection. Hence, a tracking-free version could still contain advertising.)

However, as the European Data Protection Supervisor notes, ‘privacy is not a luxury but a universal right and it should not only be available to those with the means to pay.’83 And many people say it is ‘extortion’ if they have to pay for privacy.84 In an EU-wide survey, 74% find ‘paying not to be monitored when using a website’ unacceptable.85 Hence, a legal requirement for a tracking-free version of websites that people must pay for with money has drawbacks. Nevertheless, such a requirement could give many people more choice: now a tracking-free version is often not available at all.

Media law could also incorporate the conditions that need to be fulfilled to safeguard media users’ interests and broader societal objectives. Privacy rules in media law would not be a complete novelty. Under the German Telemedia Act, a

service provider must enable the use of telemedia and payment (…) to occur anonymously or via a pseudonym where this is technically possible and reasonable. The recipient of the service is to be informed about this possibility.86

In sum, media policy arguments can be taken into account when regulating tracking walls.

c. Professional Secrecy

Specific rules could also be considered for parties with professional secrecy requirements, such as doctors, lawyers, and accountants. For instance, hospital websites should not use tracking walls. A patient should be able to make an appointment with a cancer specialist through a hospital website, without fearing that marketing companies see that the patient does so. In the medical sector, there is a long tradition of protecting personal data regarding health, as
doctors to keep patient information confidential. Medical secrecy protects individual privacy interests of patients, and a public interest: the trust in medical services. As the European Court of Human Rights notes:

The protection of personal data, in particular medical data, is of fundamental importance to a person’s enjoyment of his or her right to respect for private and family life as guaranteed by Article 8 of the Convention. Respecting the confidentiality of health data is a vital principle in the legal systems of all the Contracting Parties to the Convention. It is crucial not only to respect the sense of privacy of a patient but also to preserve his or her confidence in the medical profession and in the health services in general.88

81 See s II.
82 Peter Traung, ‘The Proposed New EU General Data Protection Regulation: Further Opportunities’ (2012)(2) Computer Law Review International 33, 42; Helberger (n 41). See also, European Commission, ‘Summary report on the public consultation on the Evaluation and Review of the ePrivacy Directive’ (Consultation Results, 4 August 2016) Question 22 accessed 7 September 2017.
83 European Data Protection Supervisor, ‘EDPS Opinion on coherent enforcement of fundamental rights in the age of big data’ (23 September 2016) 16 accessed 28 September 2017.
84 See McDonald and Cranor (n 19) 27.
85 Commission, ‘Flash Eurobarometer 443’ (n 22) Question 5.3 (95/T.26).
86 art 13(4) No 6 of the German Telemedia Law (Telemediendienste-Gesetz).
87 Martine Ploem, ‘Tussen Privacy en Wetenschapsvrijheid. Regulering van Gegevensverwerking voor Medisch-Wetenschappelijk Onderzoek’ [Between Privacy and Scientific Freedom. Regulation of Data Processing for Medical Scientific Research] (PhD thesis, University of Amsterdam) (SDU 2004) 129-133.
88 I v Finland App no 25011/03 (ECtHR, 17 July 2008) para 38. See along similar lines, Z v Finland App no 22009/93 (ECtHR, 25 February 1997) para 95 and European Union Civil Service Tribunal, Civil Service Tribunal Decision F-46/095, V & EDPS v European Parliament (5 July 2011) paras 123 and 163.

At a minimum, hospital websites should give people confidentiality rules, and the public sector. A black the chance to visit a tracking-free version of the web- list of circumstances in which tracking walls are site.89 As noted, the Article 29 Working Party pro- banned, should be non-exhaustive. In other words: posed a ban of tracking walls on sites that expose vis- depending on the circumstances, a tracking wall can itors’ special categories of data (sensitive data) to make consent involuntary (and thus invalid), even if tracking companies.90 Such a ban would also lead to the situation is not explicitly included on the black the conclusion that hospitals cannot use tracking list. walls. In sum, a ban on tracking walls seems appro- The lawmaker could consider supplementing the priate for hospital websites. The European Con- black list (with prohibitions) with a grey list. If a sit- sumers’ Organisation goes further, and says: ‘Track- uation is on the grey list, there is a legal presumption ing and profiling technologies in health-related web that a tracking wall makes consent involuntary, and sites should not be allowed.’91 therefore invalid. Hence, the legal presumption of It would be hard to phrase such prohibitions in a the grey list shifts the burden of proof. For situations way that does not make them over or under inclusive. on the grey list, it is up to the company employing How to define ‘health related’ websites? Is it enough the tracking wall to prove that people can give ‘freely if the website presents itself as a health-related web- given’ consent, even though the company installed a site, for instance by including a picture of a doctor in tracking wall. Some consumer protection laws use a a white coat? And would a prohibition of using any similar system, with a black list (illegal practices) and ‘healthdata’forbehaviouraltargetingalsocovertrack- a grey list (practices presumed to be illegal).96 The ingofdailyvisitstoawebsitewithglutenfreerecipes? 
situations we discussed in our circumstance cata- logue, with circumstances in which the voluntariness d. Public Sector of consent is questionable, could be included on the grey list. Specific rules could also be considered for the pub- lic sector. There are precedents: in the Netherlands, trackingwallsonpublicsectorwebsitesarebanned.92 3. Option (iii): Ban Tracking Walls Indeed, people should be able to visit public sector Completely websites without exposing themselves to web-wide tracking. In practice, public sector websites might A third option is banning tracking walls completely. use third party widgets such as social media but- Both the Article 29 Working Party and the European tons.93 The public sector body might not realise that it exposes visitors to web-wide tracking when it in- cludes such widgets on its website. 89 See, Article 29 Working Party, ‘Opinion 03/2016 on the evalua- tion and review of the ePrivacy Directive (2002/58/EC)’ (n 66) 17; More generally, it is debatable whether it is appro- Bart Jacobs, ‘Klantverraders’ [Customer snitches] (PI.lab, 13 priate for public sector bodies to allow web-wide December 2015) accessed 7 September 2017. 90 Article 29 Working Party, ‘Opinion 03/2016 on the evaluation – even if people consent. The lawmaker could con- and review of the ePrivacy Directive (2002/58/EC)’ (n 66) 17. sider banning all web-wide tracking on public sector 91 European Consumer Organisation BEUC, ‘Data Protection Regu- websites. The exact scope of such a ban would require lation. Proposal for a Regulation’ (BEUC Position paper, August 2012) 8 accessed 7 September 2017. organisationsthatarepartlyfundedbythestate?And 92 art 11.7a(5) Telecommunications Act (Telecommunicatiewet). See in English, Eleni Kosta, ‘The Dutch regulation of cookies’ (2016) some site-wide tracking could be necessary for web- 2(1) European Data Protection Law Review 97. 94 95 site security, or useful for website analytics. 
93 To illustrate: Van Der Velden found third party tracking on many Dutch governmental websites. Lonneke van der Velden, ‘The third party diary: tracking the trackers on Dutch governmental web- e. A Black List and a Grey List sites’ (2014) 3(1) NECSUS European Journal of Media Studies 195. 94 See also, Case C-582/14 Patrick Breyer v Bundesrepublik To sum up: bans should be considered for tracking Deutschland [2016] ECLI:EU:C:2016:779. walls, at least in certain circumstances. As a starting 95 See art 8(1)(d) ePrivacy proposal. point for a discussion, we discussed public service 96 See the gray list in the annex of the Unfair Contract Terms Direc- tive (Council Directive 93/13/EEC of 5 April 1993 on unfair terms media, commercial media, professions with specific in consumer contracts [1993] OJ L 095/0029). EDPL 3|2017 Tracking Walls, Take-It-Or-Leave-It Choices 15

Data Protection Supervisor call for a complete ban.97 The European Parliament’s rapporteur for the ePrivacy Regulation, Lauristin,98 and civil society organisations also argue for a complete ban on tracking walls.99 It appears that a complete ban on tracking walls would be popular among the general public. Our survey shows that many people think tracking walls are unfair and unacceptable.100

If tracking walls were banned, a website publisher could still ask visitors whether they want to be tracked for targeted advertising. The main effect of the ban would be that the publisher could not offer people a take-it-or-leave-it choice regarding web-wide tracking (third party tracking). We emphasise that a ban on tracking walls would not interfere with cookies that can be set without consent (for instance for a service requested by the end-user).101 Generally speaking, the ban on tracking walls should probably only apply to web-wide tracking.

4. Option (iv): Ban All Web-Wide Tracking

A fourth option is more extreme: ban all web-wide tracking (third party tracking). Some have argued for such a prohibition. For instance, according to security technologist Schneier it is ‘vital’ to adopt such a ‘ban on third party ad tracking’. He adds: ‘it’s the companies that spy on us from website to website, or from device to device, that are doing the most damage to our privacy.’102 Along similar lines, Ceglowski argues for these rules:

Sites showing ads may only use two criteria in ad targeting: the content of the page, and whatever information they have about the visitor. Sites may continue to use third-party ad networks to serve ads, but those third parties must be forgetful; they may not store any user data across ad requests.103

Such a ban on web-wide tracking would probably improve the protection of privacy and personal data. An additional advantage of a complete ban is its simplicity and legal clarity. However, we do not discuss the option of banning all web-wide tracking in detail here. A complete ban on web-wide tracking has drawbacks. For example, some people might prefer targeted (tracking-based) ads to non-targeted ads.104 And a ban on web-wide tracking would interfere with many business models. We think it makes sense to start with lighter measures than a complete ban on web-wide tracking. If such lighter measures do not lead to appropriate protection of privacy and other fundamental rights, a complete ban could be considered.

In conclusion, we think that the lawmaker should seriously consider option (ii), a partial ban of tracking walls, and option (iii), a complete ban on tracking walls. An advantage of option (ii) is that banning tracking walls only under certain circumstances is a more nuanced approach than completely banning them. The partial ban (the black list) could be complemented with a grey list (circumstances in which tracking walls are presumed to be illegal). A disadvantage of option (ii) is that the nuance comes at the cost of legal clarity. A major advantage of option (iii), a complete ban of tracking walls, is that such a rule could be phrased in a relatively clear and straightforward way. Hence, a complete ban would provide more legal clarity than a partial ban.

97 Article 29 Working Party, ‘Opinion 01/2017 on the Proposed Regulation for the ePrivacy Regulation (2002/58/EC)’ (n 7) 15; European Data Protection Supervisor 2017/6, ‘EDPS Opinion ic Communications (ePrivacy Regulation)’ (24 April 2017) 17 accessed 7 September 2017.

98 Committee on Civil Liberties, Justice and Home Affairs, Draft Report on the proposal for a regulation of the European Parliament and of the Council concerning the respect for private life Electronic Communications) (COM(2017)0010 – C8-0009/2017 – 2017/0003(COD)), 9 June 2017 accessed 7 September 2017.

99 European , ‘EDRi’s position on the proposal of an e-privacy regulation’ (April 2017) accessed 7 September 2017; La Quadrature du Net, ‘Recommendations of La Quadrature du Net on the revision of the eprivacy Directive’ (6 March 2017) accessed 5 May 2017.

101 See the exceptions in Article 5(3) of the ePrivacy Directive and Article 8(1) of the ePrivacy proposal.

102 Schneier, ‘The Internet of Things That Talk About You Behind Your Back’ (8 January 2016) accessed on 31 August 2017.

_amaze_you.htm> accessed 7 September 2017.

104 See, Blase Ur et al, ‘Smart, Useful, Scary, Creepy: Perceptions of sium on Usable Privacy and Security ACM, 2012) 4.

VIII. Take-It-Or-Leave-It Choices in Other Contexts

We focused our discussion on one specific type of take-it-or-leave-it choices: tracking walls. But take-it-or-leave-it choices regarding privacy also occur in other situations. For instance, chat and email services often require users to agree to a data use policy – if people do not agree, they cannot use the service. An app might require access to the camera or the contact list on an end-user’s phone, while that access is unnecessary for providing the service. A ‘smart’ TV might listen to the sounds in people’s living rooms, and might only work when people ‘consent’ to that. Internet of Things equipment may only work if people ‘consent’ to data collection for marketing.

We call for a more general debate on the appropriateness of such take-it-or-leave-it choices. The EU lawmaker should consider adopting additional rules regarding take-it-or-leave-it choices regarding privacy that do not concern tracking on websites.105 In the shorter term, the Article 29 Working Party or the European Data Protection Board could adopt guidance on the interpretation of the GDPR’s requirements for valid and ‘freely given’ consent.106

IX. Conclusion

On the internet, many companies offer people take- stance, some websites install tracking walls, barriers that visitors can only pass if they click ‘OK’ to a request to place tracking cookies to monitor their online behaviour. Our survey in the Netherlands shows that most people think tracking walls are unfair and unacceptable. But if people encounter such tracking walls, they are likely to consent, even if they think it is not fair that they have to disclose personal data in exchange for using a website or other service.

European data privacy law gives a central role to informed consent of the internet user. For valid consent, the GDPR requires a ‘freely given’ indication of wishes. The exact meaning of ‘freely given’ is unclear. We suggested a list of circumstances to consider when assessing whether a tracking wall is allowed under the GDPR. We also gave starting points for a broader debate: perhaps more legal intervention is needed. A partial or complete ban of tracking walls should be considered. More generally, research and debate is needed on take-it-or-leave-it choices regarding privacy.

105 The EDPS suggests a specific provision that bans take-it-or-leave-it choices regarding privacy and personal data in the context of the Internet of Things. European Data Protection Supervisor (n 97) 18.

106 The Article 29 Working Party plans to publish guidance on ‘consent’ in 2017: ‘Adoption of 2017 GDPR action plan’ (16 January 2017) accessed 7 September 2017.